package com.study.filter;

import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.esapi.ESAPI;


public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

  public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {

    super(servletRequest);

  }

  public String[] getParameterValues(String parameter) {

    String[] values = super.getParameterValues(parameter);

    if (values == null) {

      return null;

    }

    int count = values.length;

    String[] encodedValues = new String[count];

    for (int i = 0; i < count; i++) {

      encodedValues[i] = cleanXSS(values[i]);

    }

    return encodedValues;

  }

  public String getParameter(String parameter) {

    String value = super.getParameter(parameter);

    if (value == null) {

      return null;

    }

    return cleanXSS(value);

  }

  public String getHeader(String name) {

    String value = super.getHeader(name);

    if (value == null) {
      return null;
    }

    return cleanXSS(value);

  }

//    private String cleanXSS(String value) {
//
//        //You'll need to remove the spaces from the html entities below
//
//        value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
//
//        value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
//
//        value = value.replaceAll("'", "& #39;");
//
//        value = value.replaceAll("eval\\((.*)\\)", "");
//
//        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
//
//        value = value.replaceAll("script", "");
//
//        return value;
//
//    }

  private String cleanXSS(String value) {
    if (value != null) {
      // 推荐使用ESAPI库来避免脚本攻击
      value = ESAPI.encoder().canonicalize(value);

      // 避免空字符串
      value = value.replaceAll("", "");

      // 避免script 标签
      Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
      value = scriptPattern.matcher(value).replaceAll("");

      // 避免src形式的表达式
      scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
          Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
      value = scriptPattern.matcher(value).replaceAll("");

      scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
          Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
      value = scriptPattern.matcher(value).replaceAll("");

      // 删除单个的 </script> 标签
      scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
      value = scriptPattern.matcher(value).replaceAll("");

      // 删除单个的<script ...> 标签
      scriptPattern = Pattern
          .compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
      value = scriptPattern.matcher(value).replaceAll("");

      // 避免 eval(...) 形式表达式
      scriptPattern = Pattern.compile("eval\\((.*?)\\)",
          Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
      value = scriptPattern.matcher(value).replaceAll("");

      // 避免 e­xpression(...) 表达式
      scriptPattern = Pattern.compile("expression\\((.*?)\\)",
          Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
      value = scriptPattern.matcher(value).replaceAll("");

      // 避免 javascript: 表达式
      scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
      value = scriptPattern.matcher(value).replaceAll("");

      // 避免 vbscript: 表达式
      scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
      value = scriptPattern.matcher(value).replaceAll("");

      // 避免 οnlοad= 表达式
      scriptPattern = Pattern
          .compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
      value = scriptPattern.matcher(value).replaceAll("");

      // 避免 onXX= 表达式
      scriptPattern = Pattern
          .compile("on.*(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
      value = scriptPattern.matcher(value).replaceAll("");

    }
    return value;
  }
}